Restrict Zone Transfers

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Use the following procedure to specify IP addresses that are allowed to receive a zone transfer. By default, zone transfers are disabled for zones that are AD integrated. For non-AD integrated zones, default settings allow zone transfers only to servers that are listed on the Name Servers tab. For increased security, disable all zone transfers unless they are required. If required, configure this setting to allow zone transfers only to specified IP addresses.

Note

If you allow zone transfers to any server, all resource records in the zone are viewable by any host that can contact your DNS server.

Membership in the Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Restricting zone transfer settings

  • Using the Windows interface

  • Using a command line

To configure zone transfer settings using the Windows interface

  1. Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

  2. In the console tree, click the name of the DNS server you wish to configure, and then open Forward Lookup Zones or Reverse Lookup Zones.

  3. Right-click the name of the zone you wish to configure, and then click Properties.

  4. On the Zone Transfers tab, do one of the following:

    • To disable zone transfers, clear the Allow zone transfers check box, and then click OK.

    • To allow zone transfers, select the Allow zone transfers check box, and then do one of the following:

      • To allow zone transfers to any server, select To any server and then click OK.

      • To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, select Only to servers listed on the Name Servers tab and then click OK.

      • To allow zone transfers only to specific DNS servers, select Only to the following servers, add the IP address of one or more DNS servers, and then click OK.

To configure zone transfer settings using a command line

  1. Open an elevated command prompt.

  2. Type the following command, and then press ENTER:

    dnscmd <ServerName> /ZoneResetSecondaries <ZoneName> {/NoXfr | /NonSecure | /SecureNs | /SecureList [<SecondaryIPAddress...>]}
    
Parameter Description

dnscmd

The command-line tool for managing DNS servers.

<ServerName>

Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.) or omit the host name.

<ZoneName>

Required. Specifies the fully qualified domain name (FQDN) of the zone.

/NoXfr

Disables zone transfers for the zone.

/NonSecure

Permits zone transfers to any DNS server.

/SecureNs

Permits zone transfers only to DNS servers that are listed in the zone using name server (NS) resource records.

/SecureList

Permits zone transfers only to DNS servers that are specified by SecondaryIPAddress.

<SecondaryIPAddress>

Required, if /SecureList is specified. A list of one or more IP addresses for DNS servers that are permitted to obtain zone transfers.

Tip

To view the complete syntax for the dnscmd /ZoneResetSecondaries command, type the following at a command prompt, and then press ENTER: dnscmd /ZoneResetSecondaries /help.
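The following PowerShell script is an added example and is not part of this page: it reads each zone's transfer policy through the MicrosoftDNS WMI provider, reports zones that still allow transfers to any server, and, when run with -Fix, applies the dnscmd /ZoneResetSecondaries switches described above. It assumes an elevated session as a member of Administrators on a server where the MicrosoftDNS WMI namespace exists; the server name and any secondary addresses you pass in are placeholders.

```powershell
# Added example, not from the original page: audit (and optionally restrict)
# zone transfer settings on a Windows Server 2008 R2 DNS server.
# Assumptions: elevated PowerShell 2.0 or later, Administrators membership,
# MicrosoftDNS WMI provider present. "192.0.2.10" below is a constructed address.
param(
    [string]   $ServerName         = ".",   # "." = the DNS server on the local computer
    [string[]] $AllowedSecondaries = @(),   # e.g. @("192.0.2.10"); empty = disable transfers
    [switch]   $Fix                         # without -Fix the script only reports
)

# MicrosoftDNS_Zone.SecureSecondaries values and the dnscmd switch each maps to.
$Setting = @{
    0 = "any server            (/NonSecure)"
    1 = "Name Servers tab only (/SecureNs)"
    2 = "listed IP addresses   (/SecureList)"
    3 = "transfers disabled    (/NoXfr)"
}

function Get-ZoneTransferPolicy([string] $Server) {
    Get-WmiObject -Namespace "root\MicrosoftDNS" -Class MicrosoftDNS_Zone -ComputerName $Server |
        Where-Object { -not $_.AutoCreated } |      # skip the automatically created zones
        ForEach-Object {
            New-Object PSObject -Property @{
                Zone       = $_.Name
                Policy     = $Setting[[int]$_.SecureSecondaries]
                AllowedIPs = ($_.SecondaryServers -join ", ")
                # SecureSecondaries 0 means every record is readable by any host (see Note above)
                Exposed    = ($_.SecureSecondaries -eq 0)
            }
        }
}

$zones = Get-ZoneTransferPolicy $ServerName
$zones | Format-Table Zone, Policy, AllowedIPs, Exposed -AutoSize

foreach ($z in ($zones | Where-Object { $_.Exposed })) {
    if (-not $Fix) {
        Write-Warning "$($z.Zone) allows zone transfers to any server"
        continue
    }
    if ($AllowedSecondaries.Count -eq 0) {
        # No server needs a copy of the zone: disable transfers, as the page recommends.
        & dnscmd $ServerName /ZoneResetSecondaries $z.Zone /NoXfr
    } else {
        # Only the listed secondaries may obtain the zone; the array expands to one argument per address.
        & dnscmd $ServerName /ZoneResetSecondaries $z.Zone /SecureList $AllowedSecondaries
    }
}
```

Run it without -Fix first to see the current policy for every zone; the Exposed column is the one to clear before the server is reachable from untrusted networks.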

See Also

Concepts

Checklist: Implementing a Secure DNS Configuration